[ntp:hackers] Workflow and issues surrounding security
David L. Mills
mills at udel.edu
Sat Aug 26 03:06:17 UTC 2006
I will not sign anything of the sort. My experience with Sun and the
DARTNET consortium flashes blinking, brilliant red lights.
todd glassey wrote:
> Here is what I suggest Harlan and David -
> 1) That ALL individuals working in the NTP effort execute
> Hold-harmless agreements. And that a Hold-Harmless agreement is placed in
> the License for the Code and that it is propagated as a compiled ASCII
> String in the actual executable. This way the Code is branded permanently
> inside the executable.
> 2) That all of the partnering companies also sign an agreement to
> hold the NTP development team harmless for anything done in extending,
> supporting, or characterizing NTP which opens or illustrates security
> liabilities already existing in the Partnering Company's products.
> 3) That there is also a very clear statement that any and all
> security issues with NTP and its packaging are the
> distributor/reseller/vendor's responsibility to address. And that like
> #1 it
> also is encoded into the executable.
> 4) The NTP.ORG upper management team may also want to consider this -
> that it have Cignacert or one of the other branding companies that
> work with
> NIST to start a program for branding the code.
> This might even include you Judah - Wyatt Starnes the CEO of Cignacert is
> part of Hratch S's team of advisors so it would make sense for NIST to use
> them for certifying the NIST NTP footprint.
> None of this of course applies to the USNO or NIST instances of NTP;
> they already belong to the people as it were.
> Just my two cents as a lay guy.
> ----- Original Message -----
> From: "todd glassey" <tglassey at earthlink.net>
> To: "Hal Murray" <hmurray at suespammers.org>; "Harlan Stenn"
> <stenn at ntp.isc.org>
> Cc: "Harlan Stenn" <stenn at ntp.isc.org>; <hackers at ntp.isc.org>;
> <mills at udel.edu>
> Sent: Friday, August 25, 2006 4:29 PM
> Subject: Re: [ntp:hackers] Workflow and issues surrounding security
>> Harlan - while these are noble ideas there is a commercial and fiduciary
>> liability that is created by much of what was discussed here.
>> When you emerge from a Public Access type Org as the NTP Org is, this
>> creates IMHO some serious liabilities by pulling services that people are
>> already dependent on away from them.
>> ----- Original Message -----
>> From: "Harlan Stenn" <stenn at ntp.isc.org>
>> To: "Hal Murray" <hmurray at suespammers.org>
>> Cc: "Harlan Stenn" <stenn at ntp.isc.org>; <hackers at ntp.isc.org>;
>> <mills at udel.edu>
>> Sent: Friday, August 25, 2006 2:56 PM
>> Subject: Re: [ntp:hackers] Workflow and issues surrounding security
>> issues with NTP
>>>>> Feedback on http://ntp.isc.org/Dev/HandlingSecurityIssues would be
>>>>> greatly appreciated.
>>>> I assume the big picture is to minimize publicity for an exploit until
>>>> it gets fixed.
>> This may have legal implications where there is a warranty of fitness or
>> in the license.
>>>> How many vendors have a copy of the sources that they modify and/or
>>>> distribute? Is there any way to contact them? If not, it might be an
>>>> idea to collect a list of people to contact.
>>> At the moment, whoever is working on the bug works with whoever reported
>>> the bug and when a fix is ready we publish it.
>> The problem is that the Vendors all rely on your testing of the product;
>> that is what possibly creates the enduring liability no matter what you
>> have to say about it.
>>> For better or worse, to my knowledge we have had >1< CERT report
>>> involving a string overflow with ntpq (or was it ntpdc), and no exploit
>>> was ever demonstrated.
>>> We have been cleaning up some similar overflow/overrun issues as they
>>> are discovered.
>>> We have been fortunate enough to not have to deal with any significant
>>> security issues, but I want to be prepared in case one shows up.
>> You may be, legally speaking, better off not addressing the security issues
>> at all and claiming that they are the responsibility of those using the Code
>> to address, and if this is made as a decision the license language for the
>> of the code base must reflect this IMHO.
>>> I am working on exploring the creation of an "NTP Forum", where
>>> membership in the group would allow for:
>>> - setting product direction and feature priorities
>> Unless you are planning on assuming liability for pulling the rug out from
>> under someone, then this may be an issue. There should at least be a
>> Hold-Harmless Agreement that one is required to have their Sponsors and
>> their execution of prior to playing in this sandbox. This is not meant to be
>> nasty - just to protect everyone.
>>> - early security vulnerability notices and patch releases
>> This is a real liability since it creates a dependency which, if it's
>> ever pulled out from under a relying party, will cause more than $5000 in
>> damage, making the NTP.ISC.ORG quite suable in both State and Federal
>> under the Computer Fraud and Abuse Act.
>> You will initially probably disagree - but in fact I am right here I bet.
>>> - 3rd line support for integration and complicated customer issues
>> This is a nightmare because support means liability.
>>> - Possibly limiting non-release-candidate development releases to this
>> Since you haven't started out that way, changing now will also violate the
>> expectations of people relying on these now. Again, a liability.
>>> - priority bug fixes
>>> - direct access to developers on a priority basis to discuss strategy
>>> and assist in deployment planning
>> This is a commercial service and that means Liability in spades.
>>> - direct input to further release planning
>>> Please note this is a preliminary list, and >IF< this group is created
>>> the above list is merely the starting point.
>>> I also expect there will be different "membership levels" for the group,
>>> and for certain "higher" membership/benefit levels it will cost money
>>> for commercial (not freeware) organizations to join. There will also be
>>> a very useful number of membership levels that will not cost money.
>>> If you reply to this message with information about the Subject: thread,
>>> great. If you reply to this message with information about the NTP
>>> Forum thread, please change the Subject: accordingly.
>>> hackers mailing list
>>> hackers at support.ntp.org