[ntp:questions] Due diligence

Brad Knowles brad at stop.mail-abuse.org
Sun May 1 19:34:24 UTC 2005

At 8:18 AM -0700 2005-05-01, Lee Sailer wrote:

>  As I am sure that you all know, there is a legal concept of "due
>  diligence".  More or less, this means that you are trying to do things
>  right, even if you are not doing things perfectly.  (I am not a lawyer.
>  No flames, please.)

	My wife is a lawyer.  I am familiar with the concept.

>  HP-UX ships with version 3.5f of xntpd (I think). For those NTP buffs
>  out there, do you think the use of this old version is good enough to
>  show due diligence?  My company supplies financial services (not time
>  services) to customers world-wide.  We use NTP internally to keep our
>  hosts in sync.

	I think a lot depends on the type of services and how 
time-sensitive your services are.  For example, a local accountant 
who handled the taxes for private individuals would probably not need 
a great deal of accuracy in their system clock.  However, an 
investment bank with whole rooms full of Wall Street stock traders 
would have much higher requirements for clock accuracy.  Both firms 
provide "financial services"; the issue is what kind of services, how 
much money is being handled, and how much does a single second of 
downtime cost you?

	Obviously, you probably fall between these two extremes.  But I 
think you need to get a good idea of what kinds of problems are found 
in the older version of the software, what problems have been 
corrected, what additional features (and accuracy) can be provided by 
the modern software, etc....  Then, you need to get some guidance 
from your lawyers as to how much potential loss might be acceptable, 
if you're not running the absolute latest software.

	As you go through this, keep in mind that the cost of upgrading 
is minimal, even if you have to buy all new hardware with hardware 
reference clocks.  The software itself is open source, and all you 
should need is a pretty basic OS install, plus possibly the 
refclocks.  You might be talking a few thousand dollars to help 
ensure that you're running the latest software on adequate hardware 
in an adequate configuration.

	How much might your company lose if the time accuracy wasn't 
there (i.e., what is the risk), and what is the probability that this 
might happen?  If you decide you're talking about a one-in-a-million 
shot that you might suffer a significant clock outage, consider that 
one-in-a-million shots happen a dozen times a day (or more) in large 
cities like Los Angeles, New York, etc....  One-in-a-million shots 
happen more than once an hour on a site like AOL, with over 35 
million customers.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
