[ntp:hackers] Privacy: refclock_nmea is now munging lat/long

Hal Murray hmurray at megapathdsl.net
Sat Apr 25 22:32:46 UTC 2009


I'm trying to be a good guy and make sure the about to be released -dev code 
doesn't have any surprises, at least in the way I use it.

I found one.  As a privacy measure, the NMEA driver is now munging some of 
the data that gets logged to clockstats.  It replaces the fractional part of 
the lat/long with underbars.  NMEA uses a weird format for lat/long: 
ddmm.mmmm, so that's truncating the fractional minutes of arc.  A minute of 
arc is roughly a mile.

The comment in the code says that data can leak out via ntpq -c clockvar  
(Yup.)

I can't tell if this is a bug or a feature. 

I'm a certified privacy nut, so part of me thinks this is a great idea.  On 
the other hand, I use that data for monitoring NMEA devices and I don't see 
any easy way to turn off that munging.  (I hacked the source code.)  It's 
also a change.  I doubt if I'm the only one who looks at that data so others 
will probably get surprised too.

This brings up a couple of issues.

Is there a privacy policy for ntpd?  Where does this fit in?

Note that this approach may not actually work.  If you live on a minute 
boundary, the answer will vary between xxxx and xxxx+1.  Or if you are in a 
rural area, you might be the only house within a mile.  (or only geek)


Another issue is changes.  It's hard to fix something without breaking 
something else.  I've been assuming that, at least as much as possible, old 
config files and code that looks at log files should just keep working.  If a 
change is desired, the new behavior should require an edit to the config file.

Yes, the fine print of the lat/long is pretty obscure and not a good example 
of a significant change, and yes maybe the default for security/privacy 
should be do-the-right-thing rather than backward compatibility.  At a 
minimum, I think changes like this should be mentioned in the ChangeLog 
rather than getting lumped under a general cleanup or fixing a bug that isn't 
related.

Is there a wiki page or such describing the policy/philosophy of changes?



My personal opinion is that this is going too far.  If you are seriously 
worried about that level of privacy you should probably disable/restrict ntpq 
probes.

At a minimum, there should be some simple way, like a configure parameter to 
turn this on/off.  Better would be a run-time flag from the config file so 
people using a pre-compiled version shipped with their distribution don't 
have to learn how to compile ntpd from sources.  Or maybe the pre-munged 
version should be written to the log file.  Or ...





-- 
These are my opinions, not necessarily my employer's.  I hate spam.
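Added illustration, not code from ntpd's refclock_nmea, of the masking Hal describes and of the minute-boundary caveat he raises. It assumes the driver's behaviour is exactly "replace the digits after the decimal point with underscores" in the ddmm.mmmm / dddmm.mmmm field; the decimal-degree formatting helper, the function names and the sample fixes are constructed here for the example.

```c
/*
 * Example (not refclock_nmea source): mask the fractional minutes of an
 * NMEA lat/long field the way the post describes, and show why a position
 * near a whole-minute boundary can flip between xxxx and xxxx+1.
 */
#include <stdio.h>
#include <string.h>

#define NMEA_FIELD_MAX 16

/* Replace every digit after the '.' with '_' (in place).
 * Returns the number of characters masked, or -1 if the field has no '.'. */
int nmea_mask_fraction(char *field)
{
    char *dot = strchr(field, '.');
    int n = 0;
    if (dot == NULL)
        return -1;
    for (char *p = dot + 1; *p != '\0'; p++) {
        if (*p >= '0' && *p <= '9') {
            *p = '_';
            n++;
        }
    }
    return n;
}

/* Format decimal degrees as an NMEA coordinate field: ddmm.mmmm for
 * latitude (deg_digits = 2), dddmm.mmmm for longitude (deg_digits = 3).
 * The sign is dropped; NMEA carries the hemisphere in a separate field.
 * Minutes are rounded to four decimals with integer arithmetic so no
 * libm call is needed, and a carry into the degrees is handled. */
void nmea_format_coord(double deg, int deg_digits, char *out, size_t outlen)
{
    double a = deg < 0 ? -deg : deg;
    int d = (int)a;
    long tenthou = (long)((a - d) * 60.0 * 1e4 + 0.5); /* minutes * 10^4 */
    if (tenthou >= 600000L) {  /* 59.99995' rounds up to the next degree */
        tenthou = 0;
        d++;
    }
    snprintf(out, outlen, "%0*d%02ld.%04ld", deg_digits, d,
             tenthou / 10000, tenthou % 10000);
}

/* Format and then mask, i.e. what the post says ends up in clockstats. */
void masked_coord(double deg, int deg_digits, char *out, size_t outlen)
{
    nmea_format_coord(deg, deg_digits, out, outlen);
    nmea_mask_fraction(out);
}

/* 1 if the masked form of deg equals expected, else 0. */
int masked_equals(double deg, int deg_digits, const char *expected)
{
    char buf[NMEA_FIELD_MAX];
    masked_coord(deg, deg_digits, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* 1 if two positions mask to different strings.  Two fixes a few tens of
 * metres apart on either side of a whole-minute boundary still differ
 * after masking, which is the leak Hal points out. */
int mask_differs(double deg_a, double deg_b, int deg_digits)
{
    char a[NMEA_FIELD_MAX], b[NMEA_FIELD_MAX];
    masked_coord(deg_a, deg_digits, a, sizeof a);
    masked_coord(deg_b, deg_digits, b, sizeof b);
    return strcmp(a, b) != 0;
}

int main(void)
{
    char buf[NMEA_FIELD_MAX];
    /* constructed fix: 37 deg 45.1234' N, 122 deg 24.9876' W */
    masked_coord(37.0 + 45.1234 / 60.0, 2, buf, sizeof buf);
    printf("lat  masked: %s\n", buf);
    masked_coord(-(122.0 + 24.9876 / 60.0), 3, buf, sizeof buf);
    printf("long masked: %s\n", buf);
    /* constructed fixes ~20 m apart straddling the 46' boundary */
    printf("boundary flip: %d\n",
           mask_differs(37.0 + 45.9999 / 60.0, 37.0 + 46.0001 / 60.0, 2));
    return 0;
}
```

The masking is a truncation to whole minutes of arc (roughly a mile, as the post says), so the privacy it buys is coarse at best, and the boundary case shows that a fixed receiver whose fix jitters across a minute line still reveals, over time, which line it sits on.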