[ntp:questions] Re: Taming the pinball machine

David L. Mills mills at udel.edu
Wed Nov 12 17:16:37 UTC 2003


Maarten,

I am neither defending or denigrating our sysadmin paranoia, but I do
observe security issues seriously bog down the staff from more
productive effort. Yes, we do not in any way block HTTP access, but the
staff requires individual user cgi-bin to be remoted off the main
servers.

Case in point. Awhile back some dude found a stack threat in ntpd, which
is not surprising considering its age. However, I was astonished at the
hyper level of brute anger directed at the programmers. The gaffe was
considered a threat to the infrastructure and integrity of the Internet
universe and to prolong the gaffe even one microsecond was
unforgiveable. The CERT was literally raining on me. After a few days of
analysis I found much of the threat was overinflated and the example
program reputed to expose the problem was in every way bogus. You get a
few of these things in any month and it's easy to become acutely
paranoid.

Dave

Maarten Wiltink wrote:
> 
> "David L. Mills" <mills at udel.edu> wrote in message
> news:3FB12C2C.66DC9238 at udel.edu...
> [...]
> > At one time or another we have blocked large portions of the globe ...
> > guys that trip hosts.deny are advised to contact the sysadmin, who will
> > cheerfully make a hole in the blocked namespace.
> 
> Since I'm in an ADSL block, it wouldn't surprise me if my address were
> on that list.
> 
> The actual access is not important to me personally. It just seems to me
> that this method of access control does nothing but make a server slowly
> converge into total catatonia, and not even proactively but reactively.
> 
> > Further even more, there is no blacklist for the web.
> 
> You mean HTTP access is not restricted?
> 
> Groetjes,
> Maarten Wiltink



More information about the questions mailing list